should I encrypt over a private network?

Posted by marlow.andrew on May 23, 2008, 9:27 am
Suppose a company has 2 sites, A and B, one is primary, the other is
secondary for DR reasons. A and B are separated significantly
geographically. Both A and B use a SAN for their data. A and B are
connected by a private network. The SAN data is replicated between A
and B over this private network using some replication product. My
question is, "should I be worried about the fact that the SAN
replication product does not do encryption?". When I raised these
concerns the answer I was given was "it's a private network so it's not
a problem". I am still not sure. Maybe I'm paranoid but I thought most
security jobs were inside jobs and this is made easier if the data
going over the wire is always in plaintext. But then again, data sent
around the LAN using NFS is not encrypted either.

Regards,

Andrew Marlow

Posted by Anne & Lynn Wheeler on May 23, 2008, 9:49 am

marlow.andrew@googlemail.com writes:
> Suppose a company has 2 sites, A and B, one is primary, the other is
> secondary for DR reasons. A and B are separated significantly
> geographically. Both A and B use a SAN for their data. A and B are
> connected by a private network. The SAN data is replicated between A
> and B over this private network using some replication product. My
> question is, "should I be worried about the fact that the SAN
> replication product does not do encryption?". When I raised these
> concerns the answer I was given was "it's a private network so it's not
> a problem". I am still not sure. Maybe I'm paranoid but I thought most
> security jobs were inside jobs and this is made easier if the data
> going over the wire is always in plaintext. But then again, data sent
> around the LAN using NFS is not encrypted either.

in the mid-80s, there were claims that the corporate internal network
had over half of all the link encryptors in the world (basically any
link leaving corporate premise had to be encrypted) ... this was
about the time that the size of arpanet/internet finally exceeded
the internal network (which had been larger from just about the
beginning until sometime mid-85) ... misc. posts mentioning internal
network:
http://www.garlic.com/~lynn/subnetwork.html#internalnet

in that period there was a story about a foreign consulate location, in
one of the major cities, apparently chosen because it had line-of-sight
to a large microwave communication antenna array for major cross-country
communication. there were comments that a lot of foreign government
espionage was heavily intertwined with industrial espionage.

slightly earlier, in the early part of the 80s ... was looking at
deploying dial-up access into the corporate network for both (actually
major expansion for) home access (since i've had dial-up access at home
since mar70) and hotel/travel access. a detailed study found that hotel
pbx rooms were frequently especially vulnerable ... and as a result
encryption requirement was extended to all dial-up access ... which
required designing and building a custom encrypting dial-up modem for
these uses.

a lot of the internet hype seems to have distracted attention from both
other forms of external compromises as well as internal attackers.

Posted by Ertugrul Söylemez on May 26, 2008, 5:26 am
marlow.andrew@googlemail.com wrote:

> Suppose a company has 2 sites, A and B, one is primary, the other is
> secondary for DR reasons. A and B are separated significantly
> geographically. Both A and B use a SAN for their data. A and B are
> connected by a private network. The SAN data is replicated between A
> and B over this private network using some replication product. My
> question is, "should I be worried about the fact that the SAN
> replication product does not do encryption?". When I raised these
> concerns the answer I was given was "it's a private network so it's not
> a problem". I am still not sure. Maybe I'm paranoid but I thought most
> security jobs were inside jobs and this is made easier if the data
> going over the wire is always in plaintext. But then again, data sent
> around the LAN using NFS is not encrypted either.

The network is only private in that selected people are given
access to it -- so much for the theory. In practice, the network is
just as open as all geographically diffused networks. Someone may
install wiretaps or even just connect to the network like all others.

So indeed, your worries aren't unfounded. Usually it's best to encrypt
the link using your VPN product of choice, like OpenVPN.


Regards,
Ertugrul.


--
http://ertes.de/


Posted by marlow.andrew on May 27, 2008, 9:01 am
Ertugrul Söylemez wrote:
> marlow.andrew@googlemail.com wrote:
>
> > Suppose a company has 2 sites, A and B, one is primary, the other is
> > secondary for DR reasons. A and B are separated significantly
> > geographically. Both A and B use a SAN for their data. A and B are
> > connected by a private network. The SAN data is replicated between A
> > and B over this private network using some replication product.

> The network is only private in that selected people are given
> access to it

No, not in this case. I should have been clearer. It is private
because there is dedicated circuitry. It really IS a private network,
NOT a VPN.

> In practice, the network is
> just as open as all geographically diffused networks. Someone may
> install wiretaps or even just connect to the network like all others.

I was worried about breaches originating via inside jobs. Since the
circuitry is private no-one else can connect to it easily. Wiretaps
are still a possibility.

>
> So indeed, your worries aren't unfounded. Usually it's best to encrypt
> the link using your VPN product of choice, like OpenVPN.

This is not a VPN. My understanding (and I am a beginner here) is that
all VPNs use encryption as standard.

-Andrew Marlow

Posted by Ertugrul Söylemez on May 27, 2008, 10:07 am
marlow.andrew@googlemail.com wrote:

> > > Suppose a company has 2 sites, A and B, one is primary, the other
> > > is secondary for DR reasons. A and B are separated significantly
> > > geographically. Both A and B use a SAN for their data. A and B are
> > > connected by a private network. The SAN data is replicated between
> > > A and B over this private network using some replication product.
> >
> > The network is only private in that selected people are given
> > access to it
>
> No, not in this case. I should have been clearer. It is private
> because there is dedicated circuitry. It really IS a private network,
> NOT a VPN.

This isn't sufficient for a network to be private.


> > In practice, the network is just as open as all geographically
> > diffused networks. Someone may install wiretaps or even just
> > connect to the network like all others.
>
> I was worried about breaches originating via inside jobs. Since the
> circuitry is private no-one else can connect to it easily. Wiretaps
> are still a possibility.

Not only are wiretaps a possibility, but anyone who manages to
comprehend the circuitry can connect to it. Unless the link is
encrypted, the network is considered public from the point of view of
security.


> > So indeed, your worries aren't unfounded. Usually it's best to
> > encrypt the link using your VPN product of choice, like OpenVPN.
>
> This is not a VPN. My understanding (and I am a beginner here) is that
> all VPNs use encryption as std.

No, a VPN (virtual private network) is just a network inside of another
network. Traditionally it was an emulation of a private network with a
private address space inside of a public network like the internet.
It's a purely virtual construct. Naturally it's a good layer to also
add encryption and authentication.


Regards,
Ertugrul.


--
http://ertes.de/
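The point made in the last two replies (a dedicated circuit is still wiretappable, so the link should carry encryption and authentication, whatever the network is called) can be shown concretely. The following Go program is an added example and is not code from the thread, from OpenVPN, or from any SAN replication product. It models the A-to-B replication link with a hypothetical frame format (a 4-byte sequence number followed by AES-256-GCM ciphertext and tag), assumes the two sites already share a key and an 8-byte session salt (in a real deployment a VPN handshake would provide them), and uses a constructed sample replication block. A simulated passive tap on the circuit finds the account data in the clear when the link is unencrypted and does not find it once the link is sealed; a replayed frame and a frame altered on the wire are both rejected by site B.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Link is one direction of a site-A to site-B replication link wrapped in
// AES-256-GCM. Hypothetical frame layout chosen for this example:
//   4-byte big-endian sequence number || GCM ciphertext || 16-byte tag
// The sequence number is authenticated as associated data and forms the low
// 32 bits of the nonce, so no nonce is ever reused under one key+salt.
type Link struct {
	aead    cipher.AEAD
	salt    []byte // 8-byte per-session value shared by both ends (assumed agreed out of band)
	sendSeq uint32 // last sequence number sent
	recvSeq uint32 // highest sequence number accepted; anything at or below it is a replay
}

// NewLink builds one endpoint. key must be 16, 24 or 32 bytes; salt must be 8 bytes.
func NewLink(key, salt []byte) (*Link, error) {
	if len(salt) != 8 {
		return nil, errors.New("salt must be 8 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Link{aead: aead, salt: append([]byte(nil), salt...)}, nil
}

// nonce derives the 12-byte GCM nonce: salt (8 bytes) || sequence number (4 bytes).
func (l *Link) nonce(seq uint32) []byte {
	n := make([]byte, l.aead.NonceSize())
	copy(n, l.salt)
	binary.BigEndian.PutUint32(n[8:], seq)
	return n
}

// Seal encrypts and authenticates one replication block for the wire.
func (l *Link) Seal(block []byte) ([]byte, error) {
	if l.sendSeq == ^uint32(0) {
		return nil, errors.New("sequence space exhausted: rekey before continuing")
	}
	l.sendSeq++
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, l.sendSeq)
	frame := append([]byte(nil), hdr...)
	// ciphertext||tag is appended to the header; the header is also the associated data
	return l.aead.Seal(frame, l.nonce(l.sendSeq), block, hdr), nil
}

// Open verifies and decrypts a frame, rejecting modified or replayed frames.
func (l *Link) Open(frame []byte) ([]byte, error) {
	if len(frame) < 4+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	seq := binary.BigEndian.Uint32(frame[:4])
	if seq <= l.recvSeq {
		return nil, errors.New("replayed or out-of-order frame rejected")
	}
	pt, err := l.aead.Open(nil, l.nonce(seq), frame[4:], frame[:4])
	if err != nil {
		return nil, errors.New("authentication failed: frame was modified on the wire")
	}
	l.recvSeq = seq
	return pt, nil
}

// WiretapSees models a passive tap on the circuit: does the byte stream on
// the wire contain the given sensitive value in the clear?
func WiretapSees(wire, sensitive []byte) bool {
	return bytes.Contains(wire, sensitive)
}

func main() {
	key := make([]byte, 32)
	salt := make([]byte, 8)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	siteA, _ := NewLink(key, salt)
	siteB, _ := NewLink(key, salt)

	// Constructed sample replication block; not real data.
	block := []byte("ACCT 4471 BAL 12000.00 OWNER J.SMITH")
	fmt.Println("unencrypted link leaks account:", WiretapSees(block, []byte("ACCT 4471")))

	frame, _ := siteA.Seal(block)
	fmt.Println("encrypted link leaks account:  ", WiretapSees(frame, []byte("ACCT 4471")))
	pt, err := siteB.Open(frame)
	fmt.Printf("site B received %q (err=%v)\n", pt, err)

	_, err = siteB.Open(frame) // the same frame delivered again: replay
	fmt.Println("replay:", err)
	frame2, _ := siteA.Seal([]byte("second block"))
	frame2[len(frame2)-1] ^= 0x01 // one bit flipped in transit
	_, err = siteB.Open(frame2)
	fmt.Println("tamper:", err)
}
```

The sequence counter does two jobs: it keeps GCM nonces unique (nonce reuse under one key breaks GCM entirely, which is why Seal refuses to wrap once the counter is exhausted) and it gives the receiver a replay check. A bidirectional link needs a separate key or salt per direction so the two senders never produce the same nonce. A VPN product does this framing, the rekeying and the key exchange for you; the example only makes visible what the replication stream looks like to a tap with and without it.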

